Choosing the Best Option

There is no way to fully cover all the myriad factors in picking a specific encryption option in a (relatively) short paper like this, so we compiled a visual decision tree to at least get you into the right bucket.

Here are a few notes on the decision tree.

This isn’t exhaustive but should get you looking at the right set of technologies.

In all cases you will want secure external key management.

In general, for discrete data you want to encrypt as high in the stack as possible. When you don’t need as much separation of duties, encrypting lower may be easier and more cost effective.

For both database and cloud encryption, in a few cases we recommend you encrypt in the application instead.

When we list multiple options the order of preference is top to bottom.

As you use this tree keep the Three Laws in mind, since they help guide the security value of your decision.
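The notes above on external key management and on encrypting as high in the stack as possible are easiest to see in code. The following Go program is an added illustration, not code from Securosis or from any product the paper discusses: it encrypts a single sensitive field in the application layer with a per-record data-encryption key (DEK), and that DEK is wrapped by a key-encryption key (KEK) that only a stand-in for an external key manager holds. The `KeyManager`, `StoredField`, `EncryptField` and `DecryptField` names, the record and column values, and the sample field value are all constructed for this example. The point it demonstrates is the separation-of-duties argument: what reaches the database column is ciphertext plus a wrapped key, so someone with only database access (a DBA, a backup operator, or whoever can read the files under file-system encryption) cannot recover the value without the key manager.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyManager stands in for the external key management service the text
// calls for; the KEK never leaves it. Hypothetical type, built for this example.
type KeyManager struct{ kek []byte }

func NewKeyManager() (*KeyManager, error) {
	kek := make([]byte, 32) // AES-256 key-encryption key
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyManager{kek: kek}, nil
}

// aeadSeal encrypts with AES-256-GCM and prepends the random nonce.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; any tampering or AAD mismatch is an error.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// WrapDEK and UnwrapDEK are the only operations the key manager exposes;
// callers never see the KEK itself.
func (km *KeyManager) WrapDEK(dek []byte) ([]byte, error)  { return aeadSeal(km.kek, dek, []byte("dek")) }
func (km *KeyManager) UnwrapDEK(w []byte) ([]byte, error) { return aeadOpen(km.kek, w, []byte("dek")) }

// StoredField is what lands in the database column: ciphertext plus the
// wrapped per-record DEK. Neither part is useful without the key manager.
type StoredField struct {
	Ciphertext []byte
	WrappedDEK []byte
}

// EncryptField encrypts one field in the application, binding the ciphertext
// to the record id and column name so it cannot be copied between rows.
func EncryptField(km *KeyManager, recordID, column string, value []byte) (StoredField, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredField{}, err
	}
	ct, err := aeadSeal(dek, value, []byte(recordID+"/"+column))
	if err != nil {
		return StoredField{}, err
	}
	wrapped, err := km.WrapDEK(dek)
	if err != nil {
		return StoredField{}, err
	}
	return StoredField{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptField asks the key manager to unwrap the DEK, then opens the field.
func DecryptField(km *KeyManager, recordID, column string, f StoredField) ([]byte, error) {
	dek, err := km.UnwrapDEK(f.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, f.Ciphertext, []byte(recordID+"/"+column))
}

func main() {
	km, _ := NewKeyManager()
	// Constructed sample record and value, not real data.
	f, _ := EncryptField(km, "customer-42", "ssn", []byte("123-45-6789"))
	pt, _ := DecryptField(km, "customer-42", "ssn", f)
	fmt.Printf("stored ciphertext: %x\nrecovered: %s\n", f.Ciphertext, pt)
}
```

The additional authenticated data (record id plus column name) is what stops a ciphertext from being moved to another row, and the wrapped DEK is what keeps the blast radius of a compromised KEK manageable: rotating the KEK means re-wrapping small keys, not re-encrypting every field. The same envelope pattern applies when the "key manager" is a real HSM or cloud KMS, which is what the note on external key management is asking for.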

Once you understand how encryption systems work, the different layers where you can encrypt, and how they combine to improve security (or not), it’s usually relatively easy to pick the right approach.

The hard part is to then architect and implement the encryption technology and integrate it into your data center, application, or cloud service. That’s where our other encryption research can be valuable, and the following reports should help:

Comments

Wed, March 18, 2015 7:18pm

Thank you Rich and gang. Interesting and useful blog. I especially like the flow chart graphic. Although, I would contend that for Database security of “Most or all fields being sensitive”, File-system level/Transparent File encryption is also a great solution. It encrypts your full database, if implemented correctly has very low overhead, and has the added advantage over TDE that it works on any database (not proprietary like TDE) and it also can be used to encrypt the associated unstructured data, such as config files, log files, and reports generated from the database.

By Charles Goldberg

Thu, February 26, 2015 3:59am

A short series but very interesting and useful. Thanks.

By Donald Callahan

